Can malware skip the administrator password popup if it already knows the password on macOS

I have two accounts on my Mac: standard and administrator. I always use the standard account, and when I need to perform an action that requires administrator rights, I enter my admin credentials into the popup window. I got curious: is it possible for malware that was installed in my standard user scope to gain admin rights, skipping the administrator credentials popup, if it already possesses the admin password and username for some reason? In other words, can it enter the administrator password in the background so the user won't notice anything? Generally speaking, is it possible for malware to do bigger harm if it knows the administrator credentials somehow? Thanks!


Solution 1:

Yes. Specifically, if malware can pop that up, you may already “be toast”, so it won’t need to do this since it could just install a key logger and not tip you off.

If you want to learn more about keyloggers or other behaviors that are more solid indications of a keylogger, ReiKey by Objective-See is excellent.

LuLu and KnockKnock are excellent as well as general tools in this (malware and PUP) space:

  • https://objective-see.com/products/lulu.html
  • https://objective-see.com/products/knockknock.html

When you are prompted for the password, normally that’s the OS asking for your password, and there is a very low chance that your password is about to be compromised. Malware could be about to run, but it’s not likely, and it’s not likely about to capture your password. The program asking for the password doesn’t get your password, just temporary admin rights.

What it does with those rights is the worrisome part, malware or not. It could install a key logger or persistent processes; those are worrisome.

Worst case, some malware could craft a dialog like your password prompt and fool you into escalating privileges, but this is an unlikely, though possible, scenario.

Anything is possible, especially if you are a high value target. For most people, tricking you or just running something that’s not signed is the risk here - not losing control of a strong and unique admin password.

Solution 2:

Yes, it is ordinarily fully possible for malware that knows the administrator user's username and password to gain administrator rights in the background without displaying the popup.

It is difficult to say in general how much harm malware can do with or without knowing credentials. Certainly, the malware knowing the administrator user's username and password makes it easier for it to become privileged and thus be able to do much harm. However, malware exists that exploits weaknesses in the operating system's security in order to obtain privileged access without knowing the username and password of the administrator user. Avoiding that is best done by keeping the operating system up to date and not downloading programs from unknown/unreliable sources.